Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
21-12-2024 19:48
Behavioral task
behavioral1
Sample
JaffaCakes118_0ea1556410c69ba5f14ac55a2aaed25a79070fbefa7992f9ebc1bf40be4f53f0.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
JaffaCakes118_0ea1556410c69ba5f14ac55a2aaed25a79070fbefa7992f9ebc1bf40be4f53f0.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_0ea1556410c69ba5f14ac55a2aaed25a79070fbefa7992f9ebc1bf40be4f53f0.exe
-
Size
1.3MB
-
MD5
e47a9049e6ce57ce55e007018ab5fadd
-
SHA1
4f1f26d30d411f4a84a392fa5f2e1d106f678a68
-
SHA256
0ea1556410c69ba5f14ac55a2aaed25a79070fbefa7992f9ebc1bf40be4f53f0
-
SHA512
b3d913f2b1e433f88420fa5cecc25dadf9d82059898ded0698013d4f6cbd29e254b19b1982a1e70e1f7509153a5b5c8b7ee140d245a80f89d0b6a10904e0bbd1
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 21 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4940 32 schtasks.exe 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1964 32 schtasks.exe 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3532 32 schtasks.exe 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3708 32 schtasks.exe 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3368 32 schtasks.exe 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5048 32 schtasks.exe 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 636 32 schtasks.exe 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 820 32 schtasks.exe 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3536 32 schtasks.exe 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2016 32 schtasks.exe 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2452 32 schtasks.exe 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 720 32 schtasks.exe 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1044 32 schtasks.exe 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4584 32 schtasks.exe 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2728 32 schtasks.exe 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1552 32 schtasks.exe 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2064 32 schtasks.exe 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1056 32 schtasks.exe 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5060 32 schtasks.exe 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4884 32 schtasks.exe 88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2164 32 schtasks.exe 88
-
resource yara_rule
behavioral2/files/0x000a000000023b64-10.dat dcrat
behavioral2/memory/2244-13-0x00000000008E0000-0x00000000009F0000-memory.dmp dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process
1488 powershell.exe
3188 powershell.exe
3740 powershell.exe
1460 powershell.exe
3936 powershell.exe
3452 powershell.exe
3132 powershell.exe
3056 powershell.exe
2980 powershell.exe
1140 powershell.exe
-
Checks computer location settings 2 TTPs 17 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation SppExtComObj.exe
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation SppExtComObj.exe
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation WScript.exe
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation DllCommonsvc.exe
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation SppExtComObj.exe
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation SppExtComObj.exe
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation SppExtComObj.exe
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation SppExtComObj.exe
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation SppExtComObj.exe
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation JaffaCakes118_0ea1556410c69ba5f14ac55a2aaed25a79070fbefa7992f9ebc1bf40be4f53f0.exe
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation DllCommonsvc.exe
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation SppExtComObj.exe
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation DllCommonsvc.exe
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation SppExtComObj.exe
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation SppExtComObj.exe
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation SppExtComObj.exe
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation SppExtComObj.exe
-
Executes dropped EXE 15 IoCs
pid Process
2244 DllCommonsvc.exe
4056 DllCommonsvc.exe
2736 DllCommonsvc.exe
4200 SppExtComObj.exe
2904 SppExtComObj.exe
4028 SppExtComObj.exe
3664 SppExtComObj.exe
4080 SppExtComObj.exe
4116 SppExtComObj.exe
2432 SppExtComObj.exe
1128 SppExtComObj.exe
3404 SppExtComObj.exe
4444 SppExtComObj.exe
4584 SppExtComObj.exe
3508 SppExtComObj.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
flow ioc
16 raw.githubusercontent.com
30 raw.githubusercontent.com
35 raw.githubusercontent.com
41 raw.githubusercontent.com
45 raw.githubusercontent.com
46 raw.githubusercontent.com
48 raw.githubusercontent.com
15 raw.githubusercontent.com
52 raw.githubusercontent.com
53 raw.githubusercontent.com
54 raw.githubusercontent.com
55 raw.githubusercontent.com
58 raw.githubusercontent.com
-
Drops file in System32 directory 1 IoCs
description ioc Process
File created C:\Windows\System32\AdvancedInstallers\smss.exe DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_0ea1556410c69ba5f14ac55a2aaed25a79070fbefa7992f9ebc1bf40be4f53f0.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
-
Modifies registry class 14 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings SppExtComObj.exe
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings SppExtComObj.exe
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings SppExtComObj.exe
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings JaffaCakes118_0ea1556410c69ba5f14ac55a2aaed25a79070fbefa7992f9ebc1bf40be4f53f0.exe
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings SppExtComObj.exe
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings SppExtComObj.exe
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings SppExtComObj.exe
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings SppExtComObj.exe
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings SppExtComObj.exe
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings SppExtComObj.exe
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings DllCommonsvc.exe
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings SppExtComObj.exe
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings SppExtComObj.exe
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings SppExtComObj.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
3708 schtasks.exe
3536 schtasks.exe
720 schtasks.exe
1044 schtasks.exe
1552 schtasks.exe
2728 schtasks.exe
5060 schtasks.exe
4884 schtasks.exe
4940 schtasks.exe
1964 schtasks.exe
636 schtasks.exe
820 schtasks.exe
2016 schtasks.exe
3532 schtasks.exe
3368 schtasks.exe
5048 schtasks.exe
4584 schtasks.exe
2452 schtasks.exe
2064 schtasks.exe
1056 schtasks.exe
2164 schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid Process
2244 DllCommonsvc.exe
1488 powershell.exe
3452 powershell.exe
3188 powershell.exe
1488 powershell.exe
3452 powershell.exe
3188 powershell.exe
4056 DllCommonsvc.exe
3740 powershell.exe
1460 powershell.exe
3056 powershell.exe
3132 powershell.exe
1460 powershell.exe
3132 powershell.exe
3740 powershell.exe
2736 DllCommonsvc.exe
3056 powershell.exe
3936 powershell.exe
2980 powershell.exe
1140 powershell.exe
1140 powershell.exe
2980 powershell.exe
3936 powershell.exe
1140 powershell.exe
4200 SppExtComObj.exe
4200 SppExtComObj.exe
2904 SppExtComObj.exe
4028 SppExtComObj.exe
3664 SppExtComObj.exe
4080 SppExtComObj.exe
4116 SppExtComObj.exe
2432 SppExtComObj.exe
1128 SppExtComObj.exe
3404 SppExtComObj.exe
4444 SppExtComObj.exe
4584 SppExtComObj.exe
3508 SppExtComObj.exe
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
description pid Process
Token: SeDebugPrivilege 2244 DllCommonsvc.exe
Token: SeDebugPrivilege 1488 powershell.exe
Token: SeDebugPrivilege 3452 powershell.exe
Token: SeDebugPrivilege 3188 powershell.exe
Token: SeDebugPrivilege 4056 DllCommonsvc.exe
Token: SeDebugPrivilege 3740 powershell.exe
Token: SeDebugPrivilege 1460 powershell.exe
Token: SeDebugPrivilege 3056 powershell.exe
Token: SeDebugPrivilege 3132 powershell.exe
Token: SeDebugPrivilege 2736 DllCommonsvc.exe
Token: SeDebugPrivilege 3936 powershell.exe
Token: SeDebugPrivilege 2980 powershell.exe
Token: SeDebugPrivilege 1140 powershell.exe
Token: SeDebugPrivilege 4200 SppExtComObj.exe
Token: SeDebugPrivilege 2904 SppExtComObj.exe
Token: SeDebugPrivilege 4028 SppExtComObj.exe
Token: SeDebugPrivilege 3664 SppExtComObj.exe
Token: SeDebugPrivilege 4080 SppExtComObj.exe
Token: SeDebugPrivilege 4116 SppExtComObj.exe
Token: SeDebugPrivilege 2432 SppExtComObj.exe
Token: SeDebugPrivilege 1128 SppExtComObj.exe
Token: SeDebugPrivilege 3404 SppExtComObj.exe
Token: SeDebugPrivilege 4444 SppExtComObj.exe
Token: SeDebugPrivilege 4584 SppExtComObj.exe
Token: SeDebugPrivilege 3508 SppExtComObj.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2428 wrote to memory of 3096 2428 JaffaCakes118_0ea1556410c69ba5f14ac55a2aaed25a79070fbefa7992f9ebc1bf40be4f53f0.exe 83
PID 2428 wrote to memory of 3096 2428 JaffaCakes118_0ea1556410c69ba5f14ac55a2aaed25a79070fbefa7992f9ebc1bf40be4f53f0.exe 83
PID 2428 wrote to memory of 3096 2428 JaffaCakes118_0ea1556410c69ba5f14ac55a2aaed25a79070fbefa7992f9ebc1bf40be4f53f0.exe 83
PID 3096 wrote to memory of 408 3096 WScript.exe 85
PID 3096 wrote to memory of 408 3096 WScript.exe 85
PID 3096 wrote to memory of 408 3096 WScript.exe 85
PID 408 wrote to memory of 2244 408 cmd.exe 87
PID 408 wrote to memory of 2244 408 cmd.exe 87
PID 2244 wrote to memory of 1488 2244 DllCommonsvc.exe 96
PID 2244 wrote to memory of 1488 2244 DllCommonsvc.exe 96
PID 2244 wrote to memory of 3188 2244 DllCommonsvc.exe 97
PID 2244 wrote to memory of 3188 2244 DllCommonsvc.exe 97
PID 2244 wrote to memory of 3452 2244 DllCommonsvc.exe 98
PID 2244 wrote to memory of 3452 2244 DllCommonsvc.exe 98
PID 2244 wrote to memory of 4040 2244 DllCommonsvc.exe 102
PID 2244 wrote to memory of 4040 2244 DllCommonsvc.exe 102
PID 4040 wrote to memory of 368 4040 cmd.exe 104
PID 4040 wrote to memory of 368 4040 cmd.exe 104
PID 4040 wrote to memory of 4056 4040 cmd.exe 106
PID 4040 wrote to memory of 4056 4040 cmd.exe 106
PID 4056 wrote to memory of 3740 4056 DllCommonsvc.exe 116
PID 4056 wrote to memory of 3740 4056 DllCommonsvc.exe 116
PID 4056 wrote to memory of 1460 4056 DllCommonsvc.exe 117
PID 4056 wrote to memory of 1460 4056 DllCommonsvc.exe 117
PID 4056 wrote to memory of 3132 4056 DllCommonsvc.exe 118
PID 4056 wrote to memory of 3132 4056 DllCommonsvc.exe 118
PID 4056 wrote to memory of 3056 4056 DllCommonsvc.exe 119
PID 4056 wrote to memory of 3056 4056 DllCommonsvc.exe 119
PID 4056 wrote to memory of 2736 4056 DllCommonsvc.exe 124
PID 4056 wrote to memory of 2736 4056 DllCommonsvc.exe 124
PID 2736 wrote to memory of 2980 2736 DllCommonsvc.exe 131
PID 2736 wrote to memory of 2980 2736 DllCommonsvc.exe 131
PID 2736 wrote to memory of 1140 2736 DllCommonsvc.exe 132
PID 2736 wrote to memory of 1140 2736 DllCommonsvc.exe 132
PID 2736 wrote to memory of 3936 2736 DllCommonsvc.exe 133
PID 2736 wrote to memory of 3936 2736 DllCommonsvc.exe 133
PID 2736 wrote to memory of 4200 2736 DllCommonsvc.exe 137
PID 2736 wrote to memory of 4200 2736 DllCommonsvc.exe 137
PID 4200 wrote to memory of 2124 4200 SppExtComObj.exe 139
PID 4200 wrote to memory of 2124 4200 SppExtComObj.exe 139
PID 2124 wrote to memory of 952 2124 cmd.exe 141
PID 2124 wrote to memory of 952 2124 cmd.exe 141
PID 2124 wrote to memory of 2904 2124 cmd.exe 144
PID 2124 wrote to memory of 2904 2124 cmd.exe 144
PID 2904 wrote to memory of 3704 2904 SppExtComObj.exe 147
PID 2904 wrote to memory of 3704 2904 SppExtComObj.exe 147
PID 3704 wrote to memory of 4284 3704 cmd.exe 149
PID 3704 wrote to memory of 4284 3704 cmd.exe 149
PID 3704 wrote to memory of 4028 3704 cmd.exe 151
PID 3704 wrote to memory of 4028 3704 cmd.exe 151
PID 4028 wrote to memory of 3316 4028 SppExtComObj.exe 162
PID 4028 wrote to memory of 3316 4028 SppExtComObj.exe 162
PID 3316 wrote to memory of 4996 3316 cmd.exe 164
PID 3316 wrote to memory of 4996 3316 cmd.exe 164
PID 3316 wrote to memory of 3664 3316 cmd.exe 166
PID 3316 wrote to memory of 3664 3316 cmd.exe 166
PID 3664 wrote to memory of 4760 3664 SppExtComObj.exe 168
PID 3664 wrote to memory of 4760 3664 SppExtComObj.exe 168
PID 4760 wrote to memory of 2764 4760 cmd.exe 170
PID 4760 wrote to memory of 2764 4760 cmd.exe 170
PID 4760 wrote to memory of 4080 4760 cmd.exe 172
PID 4760 wrote to memory of 4080 4760 cmd.exe 172
PID 4080 wrote to memory of 3996 4080 SppExtComObj.exe 175
PID 4080 wrote to memory of 3996 4080 SppExtComObj.exe 175
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0ea1556410c69ba5f14ac55a2aaed25a79070fbefa7992f9ebc1bf40be4f53f0.exe "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0ea1556410c69ba5f14ac55a2aaed25a79070fbefa7992f9ebc1bf40be4f53f0.exe" 1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" 2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" " 3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:408 -
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1488
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3188
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe' 5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3452
-
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GU7tWfSH3L.bat" 5⤵
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 6⤵ PID:368
-
-
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3740
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe' 7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1460
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe' 7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3132
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TextInputHost.exe' 7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3056
-
-
C:\providercommon\DllCommonsvc.exe "C:\providercommon\DllCommonsvc.exe" 7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' 8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2980
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\unsecapp.exe' 8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1140
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe' 8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3936
-
-
C:\Recovery\WindowsRE\SppExtComObj.exe "C:\Recovery\WindowsRE\SppExtComObj.exe" 8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4200 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat" 9⤵
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 10⤵ PID:952
-
-
C:\Recovery\WindowsRE\SppExtComObj.exe "C:\Recovery\WindowsRE\SppExtComObj.exe" 10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fZs2sOO0th.bat" 11⤵
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 12⤵ PID:4284
-
-
C:\Recovery\WindowsRE\SppExtComObj.exe "C:\Recovery\WindowsRE\SppExtComObj.exe" 12⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x8TIUMdSeB.bat" 13⤵
- Suspicious use of WriteProcessMemory
PID:3316 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 14⤵ PID:4996
-
-
C:\Recovery\WindowsRE\SppExtComObj.exe "C:\Recovery\WindowsRE\SppExtComObj.exe" 14⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3664 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EqBdbgL5Ji.bat" 15⤵
- Suspicious use of WriteProcessMemory
PID:4760 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 16⤵ PID:2764
-
-
C:\Recovery\WindowsRE\SppExtComObj.exe "C:\Recovery\WindowsRE\SppExtComObj.exe" 16⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ddqzBJK7Zu.bat" 17⤵ PID:3996
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 18⤵ PID:720
-
-
C:\Recovery\WindowsRE\SppExtComObj.exe "C:\Recovery\WindowsRE\SppExtComObj.exe" 18⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4116 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat" 19⤵ PID:1256
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 20⤵ PID:1436
-
-
C:\Recovery\WindowsRE\SppExtComObj.exe "C:\Recovery\WindowsRE\SppExtComObj.exe" 20⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2432 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZfR0hqQ1j6.bat" 21⤵ PID:4788
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 22⤵ PID:4420
-
-
C:\Recovery\WindowsRE\SppExtComObj.exe "C:\Recovery\WindowsRE\SppExtComObj.exe" 22⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1128 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OrAhl4fNEA.bat" 23⤵ PID:4564
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 24⤵ PID:2712
-
-
C:\Recovery\WindowsRE\SppExtComObj.exe "C:\Recovery\WindowsRE\SppExtComObj.exe" 24⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3404 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ay7XDWEJg9.bat" 25⤵ PID:3836
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 26⤵ PID:4780
-
-
C:\Recovery\WindowsRE\SppExtComObj.exe "C:\Recovery\WindowsRE\SppExtComObj.exe" 26⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4444 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDq7RH5Uwz.bat" 27⤵ PID:796
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 28⤵ PID:4624
-
-
C:\Recovery\WindowsRE\SppExtComObj.exe "C:\Recovery\WindowsRE\SppExtComObj.exe" 28⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4584 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat" 29⤵ PID:3912
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 30⤵ PID:1884
-
-
C:\Recovery\WindowsRE\SppExtComObj.exe "C:\Recovery\WindowsRE\SppExtComObj.exe" 30⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3508 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GsZYO5BIqk.bat" 31⤵ PID:2548
-
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 32⤵ PID:2088
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3708
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3368
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3536
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\providercommon\services.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:720
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\providercommon\unsecapp.exe'" /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\providercommon\unsecapp.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\providercommon\unsecapp.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164
Network
MITRE ATT&CK Enterprise v15
Downloads